Cyber Threat Intelligence 01 May 2026
-
Industrial Sector
- ABB Edgenius Management Portal
"Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-03 - ABB Ability Symphony Plus Engineering
"ABB became aware of vulnerability in the products versions listed as affected in the advisory. The ABB S+ Engineering product versions are affected by vulnerabilities in PostgreSQL version 13.11 and earlier versions. If an attacker gains access to a site’s S+ Client Server network, they could exploit such vulnerabilities by executing arbitrary code and potentially compromising the entire system."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-06 - ABB System 800xA, Symphony Plus IEC 61850
"This vulnerability was privately reported relating to ABB’s implementation of the IEC 61850 communication stack for MMS client applications used in some Automation control system products. Note: IEC 61850 communication typically supports MMS and GOOSE protocols. Some ABB products support both, others only MMS (e.g. S+ Operations and PM 877). In any case, GOOSE communication is not impacted by this reported vulnerability. If an attacker gains access to a site’s IEC 61850 network, then exploiting this vulnerability will result in a device fault (PM 877, CI850 and CI868 modules) and will require a manual restart. If this attack is directed at a S+ Operations node running IEC 61850 connectivity, this will result in a crash in the IEC 61850 communication driver which, if continued a repeating basis, will also result in a denial-of-service situation. Note that this does not have an impact on the overall availability and functionality of the S+ Operations node, only the IEC 61850 communication function. The System 800xA IEC61850 Connect is not affected."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-01 - ABB PCM600
"Successful exploitation of this vulnerability could allow an attacker to send specially crafted messages to the system node resulting in execution of arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-02 - ABB Ability OPTIMAX
"Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-04 - ABB AWIN Gateways
"Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-05 - Threat Landscape For Industrial Automation Systems. Australia And New Zealand, Q4 2025
"The cybersecurity situation in Australia and New Zealand is among the most favorable across all regions. In Q4 2025, the region ranked 11th in the percentage of ICS computers on which malicious objects were blocked."
https://ics-cert.kaspersky.com/publications/reports/2026/04/30/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q4-2025/ - Exploiting EnOcean SmartServer To Attack Connected Building Management Systems
"Team82’s previous research into the LonTalk protocol and the CEA-852 standard demonstrates the means by which a legacy protocol such as LonTalk is being retro-fitted to support connectivity for building management systems and other smart internet-of-things devices critical to the operation of facilities in various critical industries. While this activity does improve overall management of power systems, heating and cooling systems, physical security systems, and other BMS, it does open up new attackable exposures that could put facilities at risk. We present our research on EnOcean’s SmartServer IoT and i.LON controllers, which connect building automation and management systems to the internet. SmartServer IoT is EnOcean’s modern BMS controller, while the i.LON controllers are legacy devices originally developed by Echelon."
https://claroty.com/team82/research/exploiting-enocean-smartserver-to-attack-connected-building-management-systems
https://www.securityweek.com/enocean-smartserver-flaws-expose-buildings-to-remote-hacking/ - Adapting Zero Trust Principles To Operational Technology
"CISA, in coordination with the Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, released Adapting Zero Trust Principles to Operational Technology, joint guidance for organizations applying zero trust (ZT) principles to operational technology (OT). Zero trust is a modern, adaptive approach to cybersecurity that eliminates implicit trust and requires continuously validating access based on identity, context, and risk. With advancements in technology, OT systems that were traditionally isolated or manually operated are now increasingly interconnected, digitally monitored, and remotely controlled. This IT-OT convergence introduces new cybersecurity risks that make perimeter-based defenses and implicit trust models inadequate for safeguarding OT systems and the critical physical processes they control."
https://www.cisa.gov/resources-tools/resources/adapting-zero-trust-principles-operational-technology
https://www.cisa.gov/sites/default/files/2026-04/joint-guide-adapting-zero-trust-principles-to-operational-technology_508c.pdf
https://www.infosecurity-magazine.com/news/zero-trust-guidance-operational/
Vulnerabilities
- Critical cPanel And WHM Bug Exploited As a Zero-Day, PoC Now Available
"The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. It is unclear when exploitation started, but KnownHost, a hosting provider that uses cPanel, said the day the vulnerability was disclosed that "successful exploits have been seen in the wild" before a fix became available. However, KnownHost CEO Daniel Pearson stated that the company has "seen execution attempts as early as 2/23/2026.""
https://www.bleepingcomputer.com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/
https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-adds-one-known-exploited-vulnerability-catalog
https://cyberscoop.com/cpanel-authentication-bypass-vulnerability-cve-2026-41940-exploited/
https://www.securityweek.com/critical-cpanel-whm-vulnerability-exploited-as-zero-day-for-months/
https://www.theregister.com/2026/04/30/cpanel_whn_cves/ - A CVSS 10.0 In Gemini CLI: How Agentic Workflows Are Reshaping Supply Chain Risk
"The flaw lived in how Gemini CLI handled workspace trust in non-interactive environments. When running in headless mode – like a CI/CD job – Gemini CLI automatically trusted the current workspace folder, loading any agent configuration it found there without review, sandboxing, or human approval. That meant an attacker who could place content in a repository’s workspace – by opening a pull request, for example – could plant configuration that the agent would silently trust and act on. The result was direct command execution on the host running the agent, before its sandbox ever initialized. Across every affected workflow, the impact was the same: code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach. Enough for token theft, supply-chain pivots, and lateral movement into downstream systems."
https://novee.security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/
https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html
https://www.securityweek.com/critical-gemini-cli-flaw-enabled-host-code-execution-supply-chain-attacks/
https://www.theregister.com/2026/04/30/googles_fix_for_critical_gemini/ - SonicWall Urges Immediate Patching Of Firewall Vulnerabilities
"SonicWall on Wednesday rolled out fixes for three SonicOS vulnerabilities, urging customers to immediately patch their Gen 6, Gen 7, and Gen 8 firewalls. “These vulnerabilities require immediate firmware updates to maintain security posture. One CVE is rated high severity, and two are rated medium severity,” the company warned. The high-severity flaw, tracked as CVE-2026-0204, allows attackers to bypass access controls and access certain management interface functions, SonicWall notes in an advisory."
https://www.securityweek.com/sonicwall-urges-immediate-patching-of-firewall-vulnerabilities/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004
Malware
- FBI Links Cybercriminals To Sharp Surge In Cargo Theft Attacks
"The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. This represents a 60% surge in losses compared to the previous year, fueled by criminals increasingly using hacking and impersonation tactics to hijack high-value freight. Confirmed cargo theft incidents have risen 18 percent last year alone, while the average value per theft grew 36 percent to $273,990, due to more selective targeting of high-value loads. The bureau said in a public service announcement on Wednesday that threat actors have been infiltrating the computer systems of freight brokers and carriers through spoofed emails and fake web links since at least 2024."
https://www.bleepingcomputer.com/news/security/fbi-links-cybercriminals-to-sharp-surge-in-cargo-theft-attacks/
https://www.ic3.gov/PSA/2026/PSA260430
https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi - Defending Against CORDIAL SPIDER And SNARKY SPIDER With Falcon Shield
"Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: Threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint visibility. CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution as distinct adversaries conducting rapid data theft and extortion campaigns with striking operational similarities. In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications. By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders."
https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/
https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/ - Deep#Door Stealer: Stealthy Python Backdoor And Credential Stealer Leveraging Tunneling, Multi-Layer Persistence, And In-Memory Surveillance Capabilities
"Securonix Threat Research analyzed a stealthy Python-based backdoor framework, dubbed Deep#Door, which uses an obfuscated batch loader to deploy a persistent surveillance and credential-stealing implant on Windows systems. The intrusion chain begins with execution of a batch script (install_obf.bat) that disables Windows security controls, dynamically extracts an embedded Python payload (svc.py), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions. Unlike traditional malware loaders that rely on external payload downloads, Deep#Door embeds its Python implant directly inside the dropper script and reconstructs it in-memory and on disk during execution."
https://www.securonix.com/blog/deepdoor-python-backdoor-and-credential-stealer/
https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html
https://www.infosecurity-magazine.com/news/deepdoor-python-backdoor-windows/ - More PayPal Emails Hijacked To Deliver Tech Support Scams
"Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices. In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members."
https://www.malwarebytes.com/blog/news/2026/04/more-paypal-emails-hijacked-to-deliver-tech-support-scams - Silver Fox Uses The New ABCDoor Backdoor To Target Organizations In Russia And India
"In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group. Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a “list of tax violations”. Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor. The campaign impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1600 malicious emails recorded between early January and early February."
https://securelist.com/silver-fox-tax-notification-campaign/119575/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- ABB Edgenius Management Portal
